Audit Report

OIG-14-001
INFORMATION TECHNOLOGY: OCC's Network and Systems Security Controls Were Deficient

October 17, 2013

Office of Inspector General
Department of the Treasury


Contents

Audit Report

  Results in Brief

  Background

  Findings and Recommendations

    Default Usernames and Passwords Were Present in OCC's Systems
      Recommendations

    OCC Did Not Fully Implement Least Privilege Controls
      Recommendations

    PII on OCC's Public-Facing Web Server Was Vulnerable to Unauthorized Access
      Recommendation

    OCC's E-mail Servers Were Vulnerable to Spoofed E-mail (Repeat Finding)
      Recommendation

    OCC's Configuration Management Needs Improvement (Repeat Finding)
      Recommendations

    OCC's Help Desk Was Susceptible to Social Engineering Attacks
      Recommendation

    OCC's Patch and Version Management Needs Improvement (Repeat Finding)
      Recommendation

Appendices

  Appendix 1: Objective, Scope, and Methodology
  Appendix 2: Management Response
  Appendix 3: Major Contributors to This Report
  Appendix 4: Report Distribution

OCC's Network and Systems Security Controls Were Deficient   Page i
(OIG-14-001)


Abbreviations

  Fiscal Service   Bureau of the Fiscal Service
  IP               Internet Protocol
  IT               Information Technology
  NIST SP          National Institute of Standards and Technology Special Publication
  OCC              Office of the Comptroller of the Currency
  OIG              Treasury Office of Inspector General
  PII              Personally Identifiable Information
  TNet             Treasury Network


OIG
The Department of the Treasury
Office of Inspector General
Audit Report

October 17, 2013

Thomas J. Curry
Comptroller of the Currency

This report represents the results of our audit of network and systems security at the Office of the Comptroller of the Currency (OCC). Our objective was to determine whether sufficient protections exist to prevent and detect unauthorized access into OCC's network and systems.

To accomplish our objective, we performed a series of internal and external vulnerability assessments and penetration tests on OCC's workstations, servers, network-attached peripherals (such as cameras and printers), infrastructure devices, and Internet websites. We also tested the physical security of OCC's headquarters and performed social engineering tests by e-mail and phone phishing.[1] Additionally, we followed up on the findings in our prior report from 2008.[2] Due to the time that has passed since our prior report, we did not determine if the findings that are repeated in this report were issues that had been resolved and then deteriorated back to the initial condition, or if they were long-standing issues that had not been addressed. We performed our fieldwork in Washington, DC, in February and March 2013. Our objective, scope, and methodology are described in more detail in appendix 1.

[1] Phishing is a fraud method where the perpetrator uses what appears to be official communication such as e-mail or phone calls in an attempt to gather information from recipients.
[2] OIG, Information Technology: Network Security at the Office of the Comptroller of the Currency Needs Improvement, OIG-08-035 (June 3, 2008)

Results in Brief

We determined that OCC's security measures were not sufficient to fully prevent and detect unauthorized access into its network and systems by internal threats[3] or external threats[4] that gained an internal foothold. Also, OCC's security measures were not adequate to fully protect personally identifiable information (PII) from Internet-based threats. On a positive note, we found that physical security at OCC's new headquarters location was adequate.

Our test results revealed that not all required security controls were consistently applied over OCC's network and systems. To test for weaknesses in controls intended to thwart internal threats, we were given the typical access provided to any OCC employee — OCC access badges, an OCC-issued laptop computer, and a local network account, as well as network access for Treasury Office of Inspector General (OIG) test laptops.
Using OIG test laptops, configured with network assessment and penetration tools, we discovered factory-preset default usernames and passwords were being used on several systems. With that knowledge, we exploited the systems with our penetration test tool and found clear text passwords that allowed us to log onto several systems using local and network administrative accounts. Once we had access to these administrative accounts, we created a domain administrator account for ourselves. With this account, we had full control of every OCC computer. We had permissions to do anything on any computer, from viewing what was running on users' desktops to saving and deleting files on file servers to adding and deleting accounts on the domain controller.

In performing another test on internal threats, we used employee information posted on OCC's intranet and available to all OCC employees. With that information, we were able to impersonate an OCC employee and convince OCC's Help Desk to reset that employee's password, thereby giving us full access to the user's account.

[3] An internal or insider threat is a current or former employee, contractor, or other business partner who has or had authorized access to a network, system, or data, and intentionally exceeds or misuses that access, resulting in a negative effect on the organization's information security.
[4] An external threat is a threat originating outside the organization.

To illustrate examples of weaknesses in controls intended to thwart external threats, we prepared and sent spoofed e-mails to OCC users using an e-mail client[5] on an OIG laptop computer to connect to OCC's e-mail server through the Internet. This server was operated by the Bureau of the Fiscal Service (Fiscal Service) on behalf of OCC. Also, using an OIG laptop, we successfully downloaded PII through the Internet from a public web server owned and managed by OCC. The outcomes of these tests are explained in our findings later in this report.

[5] An email client is a computer program used to access an email server.

We consider the breadth, depth, and potential impact of the network security deficiencies as serious matters that require prompt corrective action by OCC management. In all, we are reporting seven findings:

1. Default usernames and passwords were present in OCC's systems
2. OCC did not fully implement least privilege controls
3. PII on OCC's public-facing web server was vulnerable to unauthorized access
4. OCC's e-mail servers were vulnerable to spoofed e-mail (Repeat Finding)
5. OCC's configuration management needs improvement (Repeat Finding)
6. OCC's Help Desk was susceptible to social engineering attacks
7. OCC's patch and version management needs improvement (Repeat Finding)

We are making 11 recommendations to address these findings.

In a written response to a draft copy of this report, OCC management concurred with our findings and recommendations, and provided its corrective actions taken and planned (see appendix 2). OCC's stated and planned corrective actions are responsive to the intent of our recommendations.

Background

OCC was created by Congress to charter national banks, to oversee a nationwide system of banking institutions, and to assure that national banks are safe and sound, competitive and profitable, and capable of serving in the best possible manner the banking needs of their customers. OCC's network and systems are integral parts of its mission support structure. Several OCC systems contain PII collected during examinations and other oversight activities. As a federal agency, OCC is prohibited by law from releasing PII to the public.

Because OCC's computers are connected with each other, other bureaus' networks, and the Internet, it is important that proper configurations and controls be in place to ensure that only authorized users are granted access. Unauthorized access to OCC's network could provide an intruder with the opportunity to compromise the confidentiality, integrity, and availability of sensitive information. Once inside, unauthorized users could extract, delete, or modify sensitive data; discover user names and passwords; and launch denial-of-service attacks. If these unauthorized activities are not prevented or detected in a timely manner, such activities could result in compromises of information and systems, and thus hinder OCC's mission.

Findings and Recommendations

Finding 1   Default Usernames and Passwords Were Present in OCC's Systems

We found that default factory-preset administrative usernames and passwords were present in OCC's systems. In one test we conducted, we discovered a default username and password of an internal service account on an OCC server which had local administrator privileges. We used those privileges and deployed our penetration test tool's agents to the host server. That server contained password hashes[6] for local and domain administrator accounts. Using these hashes, we obtained a domain administrator's password, which we then used to log on to the network domain controller.[7] With full access given to a typical domain administrative account, we created a domain administrator account and thereby had full control of OCC's network.

During a different test, we were able to access a management console[8] on an OCC website by using a default factory-preset password. Using the information from the console, we gained access to PII. The details of PII access are described in Finding 3.

In another test, we discovered and used factory-preset usernames and passwords for local administrative accounts to access printers, Internet Protocol (IP) cameras, IP camera servers, network infrastructure devices, and voice-over-IP devices.
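The default-credential condition described above is something a periodic check can catch before an attacker does. The following is an added example; it is not OCC's or OIG's tooling and not the penetration test tool the report refers to. It tries a short list of vendor default username/password pairs against a device's HTTP Basic-authentication interface (the scheme many printers, IP cameras and embedded management consoles use) and reports which pairs the device accepts. The credential list and the device it probes, an in-process stand-in that still accepts admin/1234, are constructed for the demonstration.

```python
"""Default-credential check for network-attached devices (added example)."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed list of factory defaults to try. A production list would be
# per vendor/model and much longer.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", ""),
    ("admin", "1234"),
    ("root", "root"),
    ("service", "service"),
]


def basic_auth_header(username, password):
    """Build the Authorization header value for HTTP Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def try_login(url, username, password, timeout=5):
    """Return True when the device answers 2xx to the given Basic credentials."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(username, password)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):  # credentials refused
            return False
        raise                       # anything else is a scan problem, not a verdict


def find_default_credentials(url, candidates=DEFAULT_CREDENTIALS):
    """Return every (username, password) pair in `candidates` the device accepts."""
    return [(user, pw) for user, pw in candidates if try_login(url, user, pw)]


class FakeDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for a printer or camera web UI still on its factory password."""

    ACCEPTED = basic_auth_header("admin", "1234")

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>device configuration</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output to the summary line
        pass


def start_fake_device():
    """Serve the constructed device on a free loopback port; returns (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeDevice)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


if __name__ == "__main__":
    server, url = start_fake_device()
    try:
        hits = find_default_credentials(url)
        print(f"{url}: default credentials accepted -> {hits}")  # [('admin', '1234')]
    finally:
        server.shutdown()
```

Against a real inventory, call find_default_credentials() once per device URL; any non-empty result is a device whose factory password is still in place. Two caveats: some devices lock the account after a few failed attempts, so keep the candidate list short and model-specific rather than spraying a long list, and devices that authenticate by login form, SNMP community string or Telnet need their own probe, since this example covers only Basic authentication.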
Each account provided full control of the device, including the capability to change configuration, accounts, and data on the device.

National Institute of Standards and Technology Special Publication (NIST SP) 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems," requires organizations to manage passwords for users and devices by changing the default password upon installation. Furthermore, OCC's Master Security Control Catalog, v2.0.1, dated December 2012, requires that all default account passwords be changed.

OCC staff stated that their "common practice" is to change default usernames and passwords. After being briefed on our findings, they informed us that they scanned a sample of network assets but were unable to find any system or machine configured with default passwords. They also said that the passwords on the IP cameras were not changed because the cameras were low-risk to OCC. We did not receive any documentation of this "common practice" that would make it a standard procedure, nor were we provided with the sample that OCC staff scanned.

[6] A password hash is the result of a password that has been transformed into another string of alphanumeric characters by a one-way algorithm (i.e., you cannot recover the original password by simply using the hash).
[7] Domain controllers are computers that use one shared directory to store security and user-account information for an entire Windows domain.
[8] A management console is a tool that allows someone to modify information, passwords, and system settings.

By leaving default usernames and passwords unchanged, those who pose a threat to information technology (IT) security could easily access OCC's network and systems. The aggregate effect of the presence of these default usernames and passwords is that attackers could have unrestricted access to these devices and the data stored on them, especially the password hash for local and domain administrative accounts.

In accordance with our Rules of Engagement, we did not attempt to perform actions that would disrupt OCC's operations, such as deleting data, powering off servers or other resources, locking out accounts, and similar activities, any of which could have resulted in interruption or shutdown of devices or services. However, malicious attackers would have no such restrictions against performing these actions.

Recommendations

We recommend that the Comptroller of the Currency:

1. Develop and implement a standard procedure requiring default usernames and passwords be changed on all systems and devices.

   Management Response

   OCC updated its standard operating procedures in June 2013 to provide guidance that will ensure that all default user names and passwords are changed on all systems and devices. The updated standard operating procedures require all devices to be subject to management controls, which include specific checks in the review and approval process to ensure that usernames and passwords are changed prior to introducing new or modified software and/or devices to the network.

   OIG Comment

   Management's stated corrective action is responsive to our recommendation.

2. Change all default usernames and passwords on all systems and devices in an expeditious manner.

   Management Response

   All default usernames and passwords were changed or updated effective September 2, 2013.

   OIG Comment

   Management's stated corrective action is responsive to our recommendation.

3. Periodically review accounts to detect default usernames and passwords on all systems and devices, and, when detected, change them.

   Management Response

   Effective August 16, 2013, OCC began monthly scans to identify default user names and passwords on software and network devices which results in a Default Credentials report. In addition, OCC also conducts a Network Penetration Test every other month producing the Network Penetration Test report. These reports identify default usernames and passwords across network devices. OCC immediately remediates any findings. Results are periodically reported to the OCC Chief Information Officer and other OCC IT officials.

   OIG Comment

   Management's stated corrective action is responsive to our recommendation.

Finding 2   OCC Did Not Fully Implement Least Privilege Controls

We observed that OCC had not implemented least privilege controls[9] in a way that effectively restricted our ability, or an attacker's ability, to launch attacks within OCC's network. We noted that OCC's network is "flat," meaning that it lacks subnets and partitions that restrict access. Consequently, there is an increased risk that attacks could spread easily and rapidly throughout a "flat network." Over the course of our audit, we successfully compromised OCC workstations, servers, and other network-attached devices. From our workstations, we were able to compromise OCC systems in Tulsa, Wichita, New York, and Washington, D.C.; OCC systems used by business units, including the Office of the Ombudsman; and OCC systems used by its examiners in a number of locations. We also discovered that many systems were configured with the same local administrative password.
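Three of the conditions in this finding can be measured from an ordinary host and account inventory: the same local administrator password on many machines, an oversized set of domain administrators, and service accounts sitting in domain-wide administrative groups. The following is an added example, not OCC's tooling. It runs those checks over a constructed inventory (hostnames, sites, local-administrator password hashes and group memberships are all made up) and also reports the blast radius of one captured local-administrator hash, which is what made movement across the flat network fast. The group-size limit is an assumed policy threshold.

```python
"""Least-privilege audit over a host and account inventory (added example)."""
from collections import defaultdict

# Constructed inventory: hostname -> (site, hash of the local Administrator
# password). In practice the hashes come from a local-account audit; these
# values are made up.
HOSTS = {
    "WS-DC-001": ("Washington", "1f0a7c3e9b"),
    "WS-DC-002": ("Washington", "1f0a7c3e9b"),
    "WS-TUL-01": ("Tulsa", "1f0a7c3e9b"),
    "SRV-FILE1": ("Washington", "1f0a7c3e9b"),
    "SRV-OMB1": ("Washington", "8d2e41aa07"),
    "WS-NY-07": ("New York", "c59b30e6d4"),
}

# Constructed directory group memberships.
GROUPS = {
    "Domain Admins": {
        "jdoe_da", "asmith_da", "bwong_da", "cruiz_da", "dlee_da", "efox_da",
        "svc_backup", "svc_monitor",
    },
    "Server Operators": {"svc_print", "bwong_da"},
    "Remote Desktop Users": {"jdoe", "asmith", "svc_scan"},
}
SERVICE_ACCOUNTS = {"svc_backup", "svc_monitor", "svc_print", "svc_scan"}

# Assumed policy thresholds; an organization sets these for itself.
GROUP_LIMITS = {"Domain Admins": 4}
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Server Operators",
}


def shared_local_admin_passwords(hosts, min_hosts=2):
    """Hashes reused on at least `min_hosts` machines, largest group first."""
    by_hash = defaultdict(list)
    for hostname, (_site, pw_hash) in hosts.items():
        by_hash[pw_hash].append(hostname)
    reused = [(h, sorted(names)) for h, names in by_hash.items() if len(names) >= min_hosts]
    return sorted(reused, key=lambda item: (-len(item[1]), item[0]))


def blast_radius(hosts, pw_hash):
    """Hosts and sites that one captured local-admin hash would open up."""
    names = sorted(h for h, (_site, x) in hosts.items() if x == pw_hash)
    sites = sorted({hosts[h][0] for h in names})
    return names, sites


def oversized_groups(groups, limits):
    """Privileged groups whose membership exceeds the policy limit."""
    return {
        name: sorted(groups[name])
        for name, limit in limits.items()
        if len(groups.get(name, ())) > limit
    }


def service_accounts_with_admin(groups, service_accounts, privileged=PRIVILEGED_GROUPS):
    """Service accounts that sit in a privileged group, with the groups involved."""
    hits = defaultdict(list)
    for group, members in groups.items():
        if group in privileged:
            for account in members & service_accounts:
                hits[account].append(group)
    return {account: sorted(g) for account, g in sorted(hits.items())}


def audit(hosts=HOSTS, groups=GROUPS, service_accounts=SERVICE_ACCOUNTS, limits=GROUP_LIMITS):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "shared_local_admin": shared_local_admin_passwords(hosts),
        "oversized_groups": oversized_groups(groups, limits),
        "service_accounts_with_admin": service_accounts_with_admin(groups, service_accounts),
    }


if __name__ == "__main__":
    report = audit()
    for pw_hash, names in report["shared_local_admin"]:
        _, sites = blast_radius(HOSTS, pw_hash)
        print(f"local admin hash {pw_hash} shared by {len(names)} hosts across {sites}: {names}")
    for group, members in report["oversized_groups"].items():
        print(f"{group}: {len(members)} members, limit {GROUP_LIMITS[group]}")
    for account, held in report["service_accounts_with_admin"].items():
        print(f"service account {account} holds {held}")
```

The shared-hash check is the one to run first: on the constructed data a single hash captured on a Tulsa workstation is also the local administrator on three Washington machines, including a file server, which is the cross-site movement the finding describes. Service accounts are flagged by group membership rather than by name because an account with an innocuous name can still be a domain administrator.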
The situation was compounded because of an extraordinarily high number of domain administrator accounts on the network's domain controller. In addition to a higher than expected number of domain administrators, we found that a number of service accounts had far greater administrative privileges than should have been necessary for such accounts.[10]

NIST SP 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems," requires that organizations employ the concept of least privilege and only allow access necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

[9] The principle of least privilege is the practice of allowing only access at the minimal level that will allow normal business functions to take place. This translates to giving people and processes the lowest level of rights available that allow them to still do their jobs.
[10] A service account is a user account that is created explicitly to provide a security context (i.e., privileges and restrictions) for services running on a server, as opposed to a human user.

An OCC official stated that the network functions met the needs of the organization and access to network assets was appropriately restricted. The official also noted that OCC's network did not restrict traffic between physical locations or business units. That said, we were also informed that OCC personnel have not performed a risk analysis of a "flat network" as compared to a more internally segmented one.

Because systems and devices connected to OCC's internal network could freely communicate between one another, with very little internal partitioning, we successfully attacked multiple OCC systems in a very short amount of time from a single workstation. OCC's "flat network" configuration allowed us to reuse password hashes we found on previously compromised machines and to gather more information using compromised devices. Moreover, the "flat network" increased the attack surface by giving us easy access to the entire network once a foothold on any system was established. As a result, OCC's failure to segment the network and implement least privilege enabled us to move through the network unimpeded. Furthermore, OCC's practice of using the same local administrator passwords contributed to the speed and ease with which we compromised systems on the network. The use of factory default passwords allowed for much of the same. Finally, having a large number of unnecessary domain administrator accounts increased risks of attackers targeting and exploiting powerful accounts and account holders.

Recommendations

We recommend that the Comptroller of the Currency:

1. Conduct a risk assessment of OCC's network topology and implement appropriate least privilege controls.

   Management Response

   OCC will complete a comprehensive assessment to quantify the risks and gaps associated with the legacy "flat" network topology, and will develop a network topology architecture and roadmap for enabling appropriate least privilege controls by December 31, 2013.

   OIG Comment

   Management's planned corrective actions are responsive to our recommendation.

2. Restrict network access as required by business needs and in accordance with risk assessment results and least privilege principles.

   Management Response

   OCC strengthened its policies, procedures, and network scanning for managing accounts with elevated privileges. These changes mandate that elevated privileges are granted based on specific roles and subjected to a multi-tiered review and approval adjudication process. The domain administrator accounts have been adjudicated and rationalized. Other relevant accounts will be rationalized by December 15, 2013, and service accounts will be rationalized by March 31, 2014. OCC will execute an approved network topology architecture and roadmap to restrict network access in accordance with business needs and least privilege principles by March 17, 2014.

   OIG Comment

   Management's stated and planned corrective actions are responsive to our recommendation.

Finding 3   PII on OCC's Public-Facing Web Server Was Vulnerable to Unauthorized Access

We found that PII was vulnerable to unauthorized access on OCC's Internet website, ComplaintReferralExpress.gov. This is a web-based system that allows OCC and other state and federal regulators and offices to exchange consumer complaints about institutions they do not supervise. We were able to use a factory-preset username and password for the website's management console to modify system settings and gather sensitive information. Among the information found on this server, we were able to gather names of bank customers who had filed complaints and their associated phone numbers, street addresses, and e-mail addresses.

The Privacy Act requires federal agencies to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of records about individuals. Additionally, OCC entered into Memoranda of Understanding with state and federal agencies that require OCC to maintain appropriate safeguards to protect non-public and confidential information.

OCC officials stated that they were not aware that the website's management console was available to the Internet.

Failure to provide adequate protections for PII on the ComplaintReferralExpress.gov website could allow attackers to obtain bank customers' personal information for malicious intent.

Recommendation

We recommend that the Comptroller of the Currency implement safeguards to protect PII on OCC's Internet website.

Management Response

OCC changed the default password on the website on April 24, 2013 and decoupled the management console from the publicly facing website on May 28, 2013. To ensure these websites remain secure, OCC runs monthly vulnerability scans that detect weaknesses. In summary, OCC (1) updated its policy and procedures for securing websites with PII; (2) implemented tools and manual testing to conduct monthly security testing of all of its external websites; and (3) tested the specific method the auditors used to exploit the website to ensure it could not be reproduced on any other OCC websites.

OIG Comment

Management's stated corrective actions are responsive to our recommendation.

Finding 4   OCC's E-mail Servers Were Vulnerable to Spoofed E-mail (Repeat Finding)

We found that OCC's e-mail servers allowed unauthenticated e-mails to be sent to any of OCC's e-mail users from outside of Treasury with a spoofed occ.treas.gov source address. As a result, we successfully sent, from an OIG laptop, spoofed e-mails to OCC e-mail users with forged OCC e-mail headers so that the message appeared to have originated from within OCC. This vulnerability was previously identified in our 2008 report.

Treasury Directive Publication 85-01, "Treasury Information Technology Security Program," requires all inbound e-mail with a sender address claiming to be from a Treasury entity to be verified as having originated from a trusted Treasury e-mail system.

An OCC official provided us with the Interconnection Security Agreement where OCC agreed to have Fiscal Service manage its inbound e-mail traffic from the Internet to its servers. We discussed the vulnerability in the e-mail servers with OCC and Fiscal Service personnel, and OCC officials stated they would work with Fiscal Service to resolve the issue.

If mail servers allow e-mails to be sent without authentication, there is an increased risk of servers being exploited by attackers by sending malicious e-mails or spam.
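The report does not say which control OCC and Fiscal Service eventually used to block the spoofing. The following added example, which is not OCC's or Fiscal Service's configuration, shows one standard mechanism a receiving mail server uses to reject a message whose envelope sender claims occ.treas.gov but arrives from a host that domain has not authorized: Sender Policy Framework (SPF, RFC 7208) evaluation. DNS is replaced by a constructed table of TXT records so the example runs offline; every address range, record and the `_spf.fiscal.example` name in it are assumptions, not OCC's or Fiscal Service's real infrastructure.

```python
"""Minimal SPF evaluation at an inbound mail gateway (added example)."""
import ipaddress

# Constructed TXT records standing in for DNS. The addresses are RFC 5737
# documentation ranges, not real Treasury mail hosts.
SPF_RECORDS = {
    "occ.treas.gov": "v=spf1 include:_spf.fiscal.example ip4:198.51.100.0/24 -all",
    "_spf.fiscal.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumed: the domain the finding says was spoofed is the one mail for
# which must be verified, per the TD P 85-01 requirement quoted above.
PROTECTED_DOMAINS = {"occ.treas.gov"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate `domain`'s SPF record for the connecting IP.

    Returns pass/fail/softfail/neutral/none/permerror. Handles the ip4, ip6,
    include and all mechanisms and the redirect modifier; a/mx/ptr/exists
    need live DNS and are reported as permerror in this offline version.
    """
    if depth > 10:                     # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    terms = records.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                  # no record: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term:                # modifier (redirect=, exp=)
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:                       # an IPv4 address never matches an ip6 network, and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = check_spf(arg, client_ip, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(redirect, client_ip, records, depth + 1)
    return "neutral"


def accept_inbound(mail_from, client_ip, records=SPF_RECORDS, protected=PROTECTED_DOMAINS):
    """Gateway decision for one message: ('accept'|'reject', spf_result).

    A sender claiming a protected domain must pass SPF; any other sender is
    rejected only on a hard fail.
    """
    domain = mail_from.rpartition("@")[2].lower()
    result = check_spf(domain, client_ip, records)
    if domain in protected and result != "pass":
        return ("reject", result)
    if result == "fail":
        return ("reject", result)
    return ("accept", result)


if __name__ == "__main__":
    # The auditors' test: a message claiming occ.treas.gov from an outside host.
    print(accept_inbound("director@occ.treas.gov", "192.0.2.44"))    # ('reject', 'fail')
    # Legitimate mail relayed through the provider's range passes via include.
    print(accept_inbound("helpdesk@occ.treas.gov", "203.0.113.10"))  # ('accept', 'pass')
```

SPF is evaluated on the envelope MAIL FROM that the sending server announces, which is the unauthenticated sender the finding describes. A forged From: header inside the message is a separate problem; DMARC addresses it by requiring that header's domain to align with an SPF or DKIM pass. The `none` result also shows why a domain must publish a record ending in `-all`: with no record, a receiver has nothing to enforce, and the policy function above rejects protected-domain mail in that case precisely so a missing record fails closed.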
Spoofed e-mails, as described above, appear legitimate and lend credibility to phishing attacks.

Recommendation

We recommend that the Comptroller of the Currency work with Fiscal Service to ensure controls are put in place to prevent spoofed e-mails from being sent to or through OCC servers.

Management Response

In consultation with Fiscal Service and OIG, OCC implemented an alternate strategy to address the identified vulnerability, and OCC began blocking unauthorized source spoofing of the occ.treas.gov domain effective August 31, 2013.

OIG Comment

Management’s stated corrective action is responsive to our recommendation.

Finding 5   OCC’s Configuration Management Needs Improvement (Repeat Finding)

As part of our network and system security assessment, we performed network scans to detect systems, devices, and network services running on the OCC domain. We discovered 222 unique open ports¹¹ running network services on systems and devices throughout the network. This vulnerability was previously identified in our 2008 report.¹²

NIST SP 800-53, Revision 3, “Recommended Security Controls for Federal Information Systems,” requires that organizations restrict the use of ports, protocols, and services not required for business purposes. Additionally, it requires organizations to identify, document, and approve exceptions to the mandatory configuration settings. Organizations are required to monitor their systems and applications for changes to these configuration settings.

According to an OCC official, unauthorized software, ports and services discovered on workstations were likely installed or configured when OCC general users had administrative privileges on their workstations. The official stated that these privileges were removed in 2012 and that OCC scanned for unnecessary ports and services at least annually. However, when we provided a sample of open ports and asked why they were open on servers, OCC officials could only provide us with the causes for some of these open ports. Furthermore, OCC officials could not provide us with approved business justifications for any of the open ports in our sample.

¹¹ A port is a means by which a program or service on one system can communicate with a program or service located on another system.
¹² OIG, Information Technology: Network Security at the Office of the Comptroller of the Currency Needs Improvement, OIG-08-035 (June 3, 2008).

Allowing unnecessary open ports and services increases the attack surface available to attackers by permitting unmonitored and potentially vulnerable services to run on the network. These services provide an attacker with a wider array of potential vulnerabilities to exploit. Failure to monitor and document open ports and services makes it difficult for an organization to control and track changes to its environment, and provides a means by which an attacker could run malicious services undetected.

Recommendations

We recommend that the Comptroller of the Currency:

1. Develop and implement procedures to identify, document, and approve base configuration settings for ports and services.

   Management Response

   OCC’s policy requires that mandatory configuration settings be established for information technology devices. To ensure consistent implementation of this policy, OCC will (1) complete a baseline comprehensive configuration document reflecting the OCC’s business needs for using ports and services by September 30, 2013; (2) update the existing configuration management process to include the identification and documentation of essential ports and services for application and hardware changes effective October 31, 2013; and (3) continue its existing monitoring and assessment processes to verify compliance with the baseline configurations.

   OIG Comment

   Management’s planned corrective actions are responsive to our recommendation.

2. Disable or remove unnecessary or unused services or open ports.

   Management Response

   New personal computers deployed OCC-wide in fiscal year 2013 restrict configuration changes and the ability to install software, thereby limiting the desktop to approved-only open ports and services.
   By October 1, 2013, OCC will implement procedures to incorporate monthly monitoring and immediate disabling or removal of unauthorized ports and services for all network devices and applications; and by March 31, 2014, OCC will disable or remove all unnecessary or unused services or open ports identified by this audit.

   OIG Comment

   Management’s planned corrective actions are responsive to our recommendation.

Finding 6   OCC’s Help Desk Was Susceptible to Social Engineering Attacks

We found that OCC’s Help Desk was susceptible to social engineering attacks. The standard procedure used by the Help Desk to verify a user’s identity only required information that was available to all OCC users via OCC’s internal network. Using available employee information, we impersonated an OCC employee and were able to convince the Help Desk to reset the password of the employee whom we impersonated. Once changed, we could have used that password to compromise the employee’s account. Based on the success of our attempt, combined with the Help Desk’s use of a standard procedure to verify user identity, we decided to forgo further testing to minimize disruption to OCC users.

NIST SP 800-53, Revision 3, “Recommended Security Controls for Federal Information Systems,” requires organizations to verify the identity of the individual receiving a new password.

OCC officials told us that they were unaware that the information used by the Help Desk to validate user identities was available to all OCC employees until we brought this issue to their attention.

Depending on whose account was targeted, an attacker could obtain a new password for a user account with access to administrative privileges or access to sensitive and privileged information. An attacker could also perform overt malicious activities while logged onto a legitimate user account with a fraudulently reset password. Once an attacker resets an account’s password, the legitimate user of the account would not be able to log on to the account until they requested a password reset.

Recommendation

We recommend that the Comptroller of the Currency improve the Help Desk’s procedures for verification of user identities to prevent impersonation. The procedures should provide for verification of user identity information that is not available to others.

Management Response

On July 22, 2013, OCC implemented a new method for password reset which does not use information available to others. All users and OCC IT staff were informed of the changes, and internal controls within IT Customer Support were implemented to ensure compliance with the new policy.

OIG Comment

Management’s stated corrective actions are responsive to our recommendation.

Finding 7   OCC’s Patch and Version Management Needs Improvement (Repeat Finding)

We found 19 instances of unsupported or outdated versions of software (operating systems, database management systems, and web application servers) in use on OCC’s network. Specifically, we found the following:

Operating Systems (13 instances found):

   • 4 servers running Windows Server 2003 Service Pack 1, unsupported after April 2009.
   • 4 workstations running Windows XP Service Pack 2, unsupported after July 2010.
   • 5 servers running Debian Linux 4.0, unsupported after February 2012.

Database Management Systems (2 instances found):

   • 1 server running Oracle MySQL 5.0.18. Oracle has announced that no new Maintenance Releases, Bug Fixes, Patches, and updates would be released as of January 2012.
   • 1 server running Oracle MySQL 5.0.95. Oracle has announced that no new Maintenance Releases, Bug Fixes, Patches, and updates would be released as of January 2012.

Web Application Servers (4 instances found):

   • 4 instances of a vulnerable web service (Apache Tomcat¹³ 4.1.18-4.1.29). Tomcat 4.1.x was last updated in June 2009 and is no longer being updated by its developers. The current versions are 6.0.x, released in December 2006, and 7.0.x, released in January 2011.

With respect to the Operating Systems, OCC staff told us that their workstations were running fully supported Microsoft operating systems. However, when OCC staff conducted their own scan, it also identified four instances of Microsoft Windows XP Service Pack 2. They did not explain the presence of those instances in their scan. With respect to the other operating systems, the Database Management Systems, and the Web Application Servers, OCC staff initially disagreed with the instances of outdated software identified by our scan, but later told us that the instances had been addressed through upgrades or decommissioning of the software, or had been determined not to be a security risk. We did not, as part of our audit, verify that these actions had been taken.

¹³ Apache Tomcat is a web server that is an open source software implementation of the Java Servlet and JavaServer Pages technologies.

NIST SP 800-53, Revision 3, “Recommended Security Controls for Federal Information Systems and Organizations,” states that organizations must promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes).

This finding was previously identified in our 2008 report, and is a matter that requires continuous management attention. Systems running unsupported operating systems, database management systems, or web services do not and cannot receive patches or updates from the software providers in response to security threats from newly discovered vulnerabilities.

Recommendation

We recommend that the Comptroller of the Currency ensure that systems and applications are running supported and up-to-date operating systems.

Management Response

On June 6, 2013, OCC implemented a bi-weekly network scanning procedure for detecting instances of end-of-life software. By September 30, 2013, OCC will implement an end-of-life and unsupported software policy, and will implement procedures for upgrading software on workstations, servers, and network devices. By November 30, 2013, all instances of end-of-life software identified by this audit will be resolved.

OIG Comment

Management’s stated and planned corrective actions are responsive to our recommendation.

******

I would like to extend my appreciation to Edward Dorris, Chief Information Officer, and OCC staff for the cooperation and courtesies extended to my staff during the audit. If you have any questions, please contact me at 202-927-5171 or Larissa Klimpel, Information Technology Audit Manager, at 202-927-0361. Major contributors to this report are listed in appendix 3.

/s/

Tram Jacquelyn Dang
Audit Director

Appendix 1
Objective, Scope, and Methodology

Our objective for this audit was to determine whether sufficient protections exist to prevent and detect unauthorized access into the Department of the Treasury Office of the Comptroller of the Currency’s (OCC) network and systems.

To accomplish our objective, we performed a series of internal and external vulnerability assessments and penetration tests on OCC’s workstations, servers, network-attached peripherals (such as cameras and printers), infrastructure devices, and Internet websites.

Internal assessments were performed on-site at OCC’s new headquarters facility in Washington, DC, in February and March of 2013.
The internal assessment was conducted inside OCC’s network, behind Treasury Network (TNet¹⁴) firewalls, with full knowledge of OCC, and we were provided the same system access, physical assets, information, and other resources available to OCC employees stationed at headquarters. We also used Office of Inspector General (OIG) owned and licensed hardware and software, including Core Impact and Nexpose. During our tests, we notified OCC information security staff of issues we discovered that we believed may have been indicative of serious problems that would require their immediate attention. While at OCC headquarters, we performed social engineering tests by e-mail and phone phishing¹⁵ to determine whether OCC’s Help Desk was able to prevent and detect attempts at impersonating OCC employees. We also conducted limited tests of the physical security by attempting to enter the building from the outside without using OCC-issued badges. Lastly, we followed up on the status of the findings in our prior report from 2008.¹⁶

External assessments were performed from OIG headquarters via non-TNet connections and using only OIG hardware and software, and information available to the general public.

¹⁴ TNet is a wide area network that provides Treasury with e-mail, Internet, and voice traffic applications.
¹⁵ Phishing is a fraud method where the perpetrator uses what appears to be official communication such as e-mail or phone calls in an attempt to gather information from recipients.
¹⁶ OIG, Information Technology: Network Security at the Office of the Comptroller of the Currency Needs Improvement, OIG-08-035 (June 3, 2008).

In accordance with the agreed-upon Rules of Engagement, we excluded TNet, as well as tests that could have adversely affected operations and may have resulted in denial of service to OCC employees or customers.

Upon completion of our tests, we provided OCC’s Information Technology audit liaison with the reports generated by our automated assessment tools so that timely corrective actions could be taken. The reports provided details on specific vulnerabilities detected and exploited, and the tools’ suggested actions necessary to address them. We also briefed OCC Information Technology management at the end of our on-site evaluation on our activities and the access we gained over the course of our audit, including our analysis of the issues reported by the tools we used.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Appendix 2
Management Response

Office of the Comptroller of the Currency
Washington, DC 20219

September 23, 2013

Ms. Tram Jacquelyn Dang
Audit Director
Office of Inspector General
Department of the Treasury
Washington, DC 20220

Subject: Response to Draft Report

Dear Ms. Dang:

We have reviewed your draft report titled "Information Technology: OCC's Network and Systems Security Controls Were Deficient." The report presents the results of the Office of Inspector General's (OIG) internal and external vulnerability assessments and penetration tests on OCC's network, systems and physical security.

You found that OCC's security measures were not sufficient to fully prevent and detect unauthorized access into its network and systems by internal threats or external threats that gained an internal foothold; security measures were not adequate to fully protect personally identifiable information (PII) from Internet-based threats. You did, however, find that physical security at the OCC's new headquarters is adequate.
You make 11 recommendations to address the following deficiencies: use of default usernames and passwords; failure to fully implement least privilege controls; vulnerability of PII to unauthorized access; vulnerability of e-mail to spoofing; configuration management; vulnerability of Help Desk to social engineering; and patch and version management.

We concur with your findings and recommendations. The enclosed table outlines our actions to address them.

If you need additional information, please contact me or Ed Dorris, Chief Information Officer, at 202-649-6001.

/s/

Thomas J. Curry
Comptroller of the Currency

Enclosure

OCC's Network and Systems Security Controls Were Deficient

OIG Recommendation #1: Develop and implement a standard procedure requiring default usernames and passwords be changed on all systems and devices.
OCC Management Response: Standard operating procedures (SOPs) were updated on June 6, 2013 to provide guidance that will ensure that all default user names and passwords are changed on all systems and devices. The updated SOPs require all devices to be subject to management controls, which include specific checks in the review and approval process to ensure that usernames and passwords are changed prior to introducing new or modified software and/or devices to the network.

OIG Recommendation #2: Change all default usernames and passwords on all systems and devices in an expeditious manner.
OCC Management Response: All default usernames and passwords were changed or updated effective September 2, 2013.

OIG Recommendation #3: Periodically review accounts to detect default usernames and passwords on all systems and devices, and when detected, change them.
OCC Management Response: Effective August 16, 2013, the OCC began monthly scans to identify default user names and passwords on software and network devices, which results in a Default Credentials report. In addition, OCC also conducts a Network Penetration Test every other month producing the Network Penetration Test report. These reports identify default usernames and passwords across network devices. OCC immediately remediates any findings. Results are periodically reported to the CIO, Deputy CIOs, and IT director-level leadership.

OIG Recommendation #4: Conduct a risk assessment of OCC's network topology and implement appropriate least privilege controls.
OCC Management Response: The OCC will complete a comprehensive assessment to quantify the risks and gaps associated with the legacy "flat" network topology, and will develop a Target Network Topology Architecture and Roadmap for enabling appropriate least privilege controls by December 31, 2013.

OIG Recommendation #5: Restrict network access as required by business needs and in accordance with risk assessment results and least privilege principles.
OCC Management Response: OCC has strengthened its policies, procedures, and network scanning for managing accounts with elevated privileges (i.e., domain administrators, X-accounts, and service accounts). These changes mandate that elevated privileges are granted based on specific roles and subjected to a multi-tiered review and approval adjudication process. The domain administrator accounts have been adjudicated and rationalized. The X-accounts will be rationalized by December 15, 2013, and service accounts will be rationalized by March 31, 2014. OCC will execute the approved Target Network Topology Architecture and Roadmap to restrict network access in accordance with business needs and least privilege principles by March 17, 2014.

OIG Recommendation #6: Implement safeguards to protect PII on OCC's Internet website.
OCC Management Response: The default password for the Complaint Referral Express website was changed on April 24, 2013, and the management console for the Complaint Referral Express website was decoupled from the publicly facing link on May 28, 2013. All external OCC websites that contain Personally Identifiable Information (PII) are secured and are not at risk for data leakage. To ensure these sites remain secure, OCC runs monthly vulnerability scans that detect weaknesses. In summary, the OCC: 1) has updated its policy and procedures for securing sites with PII; 2) is using tools and manual testing to conduct monthly security testing of all of its external websites; and 3) has tested the specific method the auditors used to exploit the website to ensure it could not be reproduced on any other OCC websites.

OIG Recommendation #7: Work with Fiscal Service to ensure controls are put in place to prevent spoofed e-mails from being sent to or through OCC servers.
OCC Management Response: In consultation with the Treasury Bureau of Fiscal Service (BFS) and the OIG, the OCC implemented an alternate strategy to address the identified vulnerability, and the OCC began blocking unauthorized source spoofing of the occ.treas.gov domain effective August 31, 2013.

OIG Recommendation #8: Develop and implement procedures to identify, document, and approve base configuration settings for ports and services.
OCC Management Response: OCC has a specific policy that requires that mandatory configuration settings be established for information technology devices. To ensure consistent implementation of this policy, OCC will: 1) complete a baseline comprehensive configuration document reflecting the OCC's business needs for using ports and services by September 30, 2013; 2) update the existing configuration management process to include the identification and documentation of essential ports and services for application and hardware changes effective October 31, 2013; and 3) continue its existing monitoring and assessment processes to verify compliance with the baseline configurations.

OIG Recommendation #9: Disable or remove unnecessary or unused services or open ports.
OCC Management Response: New PCs deployed OCC-wide in FY13 restrict configuration changes and ability to install software, thereby limiting the desktop to approved-only open ports and services. By October 1, 2013, OCC will implement procedures to incorporate monthly monitoring and immediate disabling or removal of unauthorized ports and services for all network devices and applications; and by March 31, 2014, OCC will disable or remove all unnecessary or unused services or open ports identified in this audit. OCC is taking a methodical approach (based on rigorous testing) in order to mitigate disruption to business systems while disabling or removing unused services and ports across network devices and application portfolio.

OIG Recommendation #10: Improve the Help Desk's procedures for verification of user identities to prevent impersonation. The procedures should provide for verification of user identity information that is not available to others.
OCC Management Response: A new password authentication method for password reset, which does not use information available to others, was implemented on July 22, 2013. All users and OCC IT staff were informed of the changes, and internal controls within IT Customer Support were implemented to ensure compliance to the new policy.

OIG Recommendation #11: Ensure that systems and applications are running supported and up-to-date operating systems.
OCC Management Response: Effective June 6, 2013, OCC implemented a bi-weekly network scanning procedure for detecting and forecasting instances of end-of-life software; by September 30, 2013, OCC will implement the End-of-Life and Unsupported Software policy to manage end-of-life software within specified timeframes and will implement procedures for upgrading software on workstations, servers, and network devices; and all instances of end-of-life software identified in this audit will be resolved by no later than November 30, 2013.

Appendix 3
Major Contributors to This Report

Office of Information Technology (IT) Audits

   Tram J. Dang, Audit Director
   Larissa Klimpel, IT Audit Manager
   Dan Jensen, Auditor-in-Charge
   Jason Beckwith, IT Specialist
   Mitul “Mike” Patel, IT Specialist
   Don’te Kelley, IT Specialist
   Jeanne DeGagne, Referencer

Appendix 4
Report Distribution

Office of the Comptroller of the Currency

   Chief Information Officer

Department of the Treasury

   Office of Chief Information Officer
   Associate Chief Information Officer for Cyber Security
   Office of Strategic Planning and Performance Management
   Office of the Deputy Chief Financial Officer, Risk and Control Group

Office of Management and Budget

   Office of Inspector General Budget Examiner